(57) Abstract: A network security system is deployed between an internet backbone (100) and intranets (190) that belong to subscribing organizations. The system includes a scanning system (130) that scans incoming electronic mail for malicious code and an anti-virus server (150) for downloading anti-virus code to clients on the intranets. A switch (110) is provided for directing incoming electronic mail from the internet backbone to the scanning system so that the electronic mail can be scanned. In one embodiment, a decoy server (160) is also provided for masquerading as a legitimate server and logging suspicious activity from communications received from the internet backbone.
NETWORK SECURITY ARCHITECTURE
RELATED APPLICATIONS

[01] The present application is a continuation-in-part of U.S. Patent Application Serial Number 09/911,592 filed on July 24, 2001 (attorney docket number 09710-1007), the contents of which are hereby incorporated by reference.

FIELD OF THE INVENTION 

[02] The present invention relates to computer security and more particularly to a network security architecture.

BACKGROUND OF THE INVENTION 

[03] With the explosion of global computer communications spurred by the Internet, on-line organizations' need for protection against cyber-criminals and cyber-vandals has also been expanding. For example, data and network sabotage incidents continued to increase by over 35% per year from 1997 to 1999. Financial fraud perpetrated on-line has increased 25% in the same period. Viruses, worms, Trojan horses and other malicious code continue to plague enterprise and home users, and many are global in scope, such as the infamous "love bug" worm of 2000. Warfare has even gone on-line, with cyber-terrorists in hot spots such as the Balkans and the Middle East making attacks on web sites and servers, and as the avowed tool of nation-states, notably the United States of America and the People's Republic of China. Mainstream press coverage of these events has heightened privacy and security concerns, hindering the widespread adoption of Internet commerce.

[04] Accordingly, organizations need network security to protect themselves from malicious attacks over the Internet, whether by hackers or from viruses. In fact, the market for network security is expanding rapidly, reaching a projected value of $10 billion by the end of the year 2001. Unfortunately, most network security approaches are ad-hoc and implemented on an organization-by-organization basis. These approaches not only tend to be staff-intensive and expensive, but they also quickly become out-of-date, falling behind the malicious technology that is constantly being developed by hackers. As a result, there is an urgent need for a scalable network security architecture that can take advantage of economies of scale and simplify the provisioning of network security services to organizations.

SUMMARY OF THE INVENTION

[05] The present invention addresses this and other needs by providing a scalable, layered network, system and application security architecture that comprises a combination of server-based and client-based malicious code scanning components in conjunction with a firewall for diverting suspect traffic to a decoy server, and an overall security management system for attack correlation across the enterprise or network infrastructure. This security architecture can be deployed between the organization's intranet and the internet backbone and can be shared between various organizations, thereby providing the economies of scale that conventional network security solutions lack.

[06] Accordingly, one aspect of the present invention pertains to a network security system to be deployed between intranets that belong to subscribing organizations and an internet backbone. The server-based component is a scanning system that scans incoming electronic mail for malicious code. The client-based component is a malicious code detection FTP software server for downloading anti-virus code to clients on the intranets. A switch is provided for directing incoming electronic mail from the internet backbone to the scanning system so that the electronic mail can be scanned. In addition to the switch, a Denial of Service (DoS) or Distributed DoS scanning/filtering switch may be employed to prevent these specific attacks. In one embodiment, a decoy server is also provided for masquerading as a legitimate server and logging suspicious activity from communications received from the internet backbone.

[07] Still other aspects, features, and advantages of the present invention are readily apparent from the following detailed description, simply by illustrating a number of particular embodiments and implementations, including the best mode contemplated for carrying out the present invention. The present invention is also capable of other and different embodiments, and its several details can be modified in various obvious respects, all without departing from the spirit and scope of the present invention. Accordingly, the drawing and description are to be regarded as illustrative in nature, and not as restrictive.

BRIEF DESCRIPTION OF THE DRAWINGS 

[08] The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar elements and in which:

[09] FIG. 1 is a block diagram of a network security architecture in accordance with one embodiment of the present invention.

[10] FIG. 2 is a flowchart that illustrates an anti-virus scanning aspect of one embodiment of the present invention.

[11] FIG. 3 is a flowchart that illustrates an anti-virus client distribution aspect of one embodiment of the present invention.

[12] FIG. 4 is a flowchart that illustrates an intrusion decoy aspect of one embodiment of the present invention.

[13] FIG. 5 depicts a computer system that can be used to implement an embodiment of the present invention.

DESCRIPTION OF THE PREFERRED EMBODIMENT

[14] A system, method, and software for network security are described. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It is apparent, however, to one skilled in the art that the present invention may be practiced without these specific details or with an equivalent arrangement. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention.

NETWORK SECURITY ARCHITECTURAL OVERVIEW
[15] FIG. 1 is a block diagram of an exemplary network security architecture for combating viruses, malicious code, and other possible forms of attack from an outside user 101 via the Internet. As described in greater detail below, this architecture employs a scalable, multi-layered approach that has both server-side and client-side components for antiviral defense, as well as the provision of firewalls for handling intruders. In a preferred embodiment, resilience is achieved by featuring multiple servers for redundancy. This architecture is also designed to be used by third parties under subscription, simply by turning on the third party's customer domain in the network.

[16] In the architecture illustrated in FIG. 1, one or more front-end switches 110 are coupled to the Internet backbone 100 and provide the basic gate-keeping functionality of the architecture. In one implementation, the front-end switches 110 also measure and record the communications traffic between the customers' systems and the Internet for billing purposes. The front-end switches 110, which may be implemented with one or more CISCO™ 6509 switches, are thus responsible for receiving communications from the Internet backbone 100, directing the Internet communication to an appropriate security server for detecting and responding to incoming threats, and load balancing among the security servers. Accordingly, the front-end switches 110 are positioned to intercept incoming electronic mail and other communications before they are routed to the customers' systems. The switches are also connected directly to DoS/DDoS scanning/filtering switches operating at line speed.

[17] A local area network 120, such as a fast ETHERNET™ network, couples the front-end switches 110 with the security servers, which comprise, for example, one or more mail proxy servers 130, one or more antivirus scanning servers 140, one or more client antivirus servers 150, one or more decoy servers 160, and a quarantine server 170. The front-end switches 110, the mail proxy servers 130, the antivirus scanning servers 140, the client antivirus servers 150, and the decoy servers 160 are in communication with a hub 180, which communicates with client intranets 190 that belong to respective customers.

[18] Each of the security servers may have a console that is connected to it, to allow an operator to perform administrative and other tasks on the corresponding server. For example, as illustrated in FIG. 1, a console 161 is provided to allow the operator to access and perform administrative tasks on one of the decoy servers 160.

[19] In one embodiment, devices are configured to report events to an overall security manager 195, e.g., HP OpenView™ or eSecurity's Management system, for correlation of the security events across the network, system and application layers. Furthermore, policy rules for enabling customization of the system functions are kept in a policy server, which keeps the policy rules in a policy database tied into the profile management system. The profile management system may also be used for service authorization. The security manager 195 is preferably installed on a server on a separate subnet, such as a Security Operations Center (not shown), which monitors the local area network 120 and receives alarms from the servers located in the local area network 120, or on the intranet 190 at a security administrator's desktop.

Antivirus Scanning 

[20] One aspect of the present invention relates to a server-side antivirus deployment to protect client intranets 190 from incoming viruses and other kinds of malicious code. Referring to FIG. 2, incoming electronic mail is received by the front-end switches 110 from the Internet backbone 100 (step 201). This electronic mail may contain viruses that have been attached innocently or deliberately by the outside user 101, or malicious code may be embedded in the body of the e-mail itself, e.g., as an HTML bug or JavaScript.

[21] At step 203, the front-end switches 110 direct the incoming electronic mail and any other messages received on the SMTP port over the local area network 120 to one of the mail proxy servers 130. Although the following discussion will refer throughout to incoming electronic mail messages by way of a common example, the present invention is not so limited and the principles described herein are applicable to incoming files via FTP, HTTP or other file transfer mechanisms from the Internet backbone 100. In addition to files, data streams or the actual body of a mail message or HTML page may contain scripts which may act maliciously.

[22] The mail proxy server 130, in response at step 205, examines electronic mail messages to determine if the electronic mail messages and/or attachments need to be scanned for viruses. This determination can be done in accordance with a policy, that may be set by the customer or the service provider, to permit setting a proper balance between security and performance. Accordingly, the particular policy may vary from implementation to implementation and, indeed, from one installation to another. For example, the policy can state that all executable attachments should be scanned for viruses. The policy can also state that all documents with embedded macros should be scanned for viruses. In fact, one policy can specify that all electronic mail messages are to be scanned for viruses. When the mail proxy server 130 determines, in accordance with the policy, that the electronic mail message needs to be scanned, the mail proxy server 130 sends the electronic mail message to one or more of the antivirus scanning servers 140 for that operation (step 207). The mail proxy also verifies that either the sender or receiver of the message is an authorized user of this service. This may be accomplished by any of several well known authentication methods, one example of which would be the use of a user id and password credential stored in a profile management system.

[23] When the electronic mail message is received by one or more of the antivirus scanning servers 140, the electronic mail message is scanned for malicious code (step 209). In one implementation, antivirus scanning software on the one or more of the antivirus scanning servers 140 employs a catalog of viral signatures, which are often simple strings of bytes that are expected to be found in every instance of a particular virus. Usually, different viruses have different signatures, and the antivirus scanning software uses signatures to locate specific viruses. To improve coverage, antivirus scanning software from multiple vendors may be employed, and the scanning may be performed on respective antivirus scanning servers 140 for improved performance as described in the co-pending commonly assigned patent application serial no. ______ entitled "System and Method for Malicious Code Detection" filed on ______ by Hoefelmeyer and Phillips (attorney docket no. 09710-1010, client docket no. COS-00-017), the contents of which are hereby incorporated by reference in their entirety.

[24] If the electronic mail message is infected, tested at step 211, then the antivirus scanning server 140 may attempt to repair the infected portion of the electronic mail message, e.g. an attachment (step 213), as determined by policy. If the electronic mail message or its attachment cannot be repaired (tested at step 215), then the electronic mail message is quarantined (step 217) by transferring the original, infected electronic mail message to the quarantine server 170 and by removing the infected portion from the electronic mail message to create a sanitized electronic mail message; this action may be varied by policy. The infected electronic mail message can be analyzed at the quarantine server 170 to study the virus, e.g. to generate a new viral signature or determine a new way to sanitize or repair a file infected with the virus.

[25] In either case, when the electronic mail message is infected, the sender and recipient of the electronic mail message may be notified of the detection of the viral infection (step 219), as determined by policy. This notification may be performed by appending text explaining the viral infection to the body of the electronic mail message or as a new attachment or even by composing and sending a new electronic mail message to the sender and recipient of the infected electronic mail message.

[26] When the electronic mail message has been sanitized, by passing the antiviral scan (step 209), being repaired (step 213), or being quarantined (step 217), the sanitized electronic mail message is directed to the recipient, via hub 180 and the appropriate intranet 190. Accordingly, a scalable, resilient server-side antivirus scanning architecture is described, in which preferably multiple mail proxy servers 130 and antivirus scanning servers 140 are deployed to catch and sanitize incoming electronic mail messages. When malicious code is detected, an event is generated to the security management system.
Client-Side Antivirus Distribution
[27] Another aspect of the present invention pertains to distribution of client-side antivirus or other security software. Not all malicious code enters a company's computer network via incoming electronic mail messages or other kinds of files transferred from the Internet via a file transfer protocol. For example, malicious code may be transmitted to the company's computers or the company's intranet via files that are borne on portable computer-readable media, such as a floppy disk or CD-ROM, and inserted into one of the company's computers. As another example, the incoming electronic mail message or transferred file is encrypted and cannot be scanned before the recipient decrypts the incoming file; or the incoming electronic mail message is retrieved directly from a user's personal mail account, e.g., Yahoo, rather than through the corporate mail server.

[28] In accordance with this aspect of the present invention, a system and method are provided for installing client-side antivirus scanning software on each of the company's computers. The client-side antivirus scanning software is responsible for scanning files that are borne on portable computer-readable media or locally decrypted to determine whether the files are safe or need repair and/or quarantining. In conventional systems, it is difficult and staff-intensive to maintain multiple installations of client-side antivirus scanning software, typically resulting in poor antivirus coverage because new updates to the client-side antivirus scanning software are not applied to the clients' systems. This difficulty is addressed in one embodiment of the present invention by providing a centralized client-side antivirus scanning software source and causing the client systems to automatically and periodically download updates.

[29] FIG. 3 illustrates the operation of one implementation of installing client-side antivirus scanning software. At step 301, an operator at one of the client's computers directs a browser to a location on one of the client antivirus servers 150, e.g. by typing the URL (Uniform Resource Locator) of a web page for downloading the client-side antivirus scanning software. In response, a web page is displayed at the client's browser and the operator performs an action (such as clicking on a button or pressing the return key) to initiate the installation.

[30] At step 303, the installation request is received by the client antivirus server 150 from the browser. In response, the client antivirus server 150 checks the network address of the browser against a list of the subscribing clients' network addresses (step 305). If the network address of the browser does not match the list of subscribing clients' network addresses, then the request is denied (step 315), thereby denying use of this system to non-subscribers. Alternatively, authorization to download the client-side antivirus scanning software can be controlled through passwords, public keys, or other forms of authentication, e.g., a wireless phone's Subscriber Identity Module (SIM), all of which may be stored in the profile management system.

[31] If, on the other hand, the network address of the browser does indeed match the list of subscribing clients' network addresses, then execution proceeds to step 307 where the client antivirus server 150 opens a file transfer session to the client's computer. At step 309, the client-side antivirus scanning software is downloaded to the client's computer along with any data necessary, such as a database of updated viral signatures. The client-side antivirus scanning software is also configured at step 311, during this installation process, to periodically pull updates of the antivirus scanning software and data. To distribute the load of multiple clients downloading the updates, a randomization function may be used to set a respective update time during an eight-hour window, e.g. between 10 p.m. and 6 a.m. Thus, the automatic updating of the client-side antivirus scanning software and data is evenly distributed throughout this period, rendering the system as a whole more scalable and resilient.

[32] To ensure that the clients' computer systems will have the latest updates of the client-side antivirus scanning software, the client antivirus servers 150 are configured (e.g. by an entry in a UNIX™ cron table) to periodically pull the latest updates from the vendors of the client-side antivirus scanning software (step 313). Accordingly, a scalable and extensible client-side antivirus scanning system is described, in which a common interface for installing the client-side antivirus scanning software is presented to each of the client's computers and configures the computers to automatically pull down the latest updates to the client-side antivirus scanning software and data on a periodic basis. As a result, the difficulties of conventional, staff-intensive approaches are alleviated.
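The subscriber check of step 305 and the randomized update scheduling of step 311, as an added Python example that is not the patent's own code. The subscriber CIDR table, the client identifiers, the update command path and the hashing salt are assumptions made for the example. The address check is modelled as the patent describes it; note that a source address is a coarse credential (it can be spoofed on a single packet and is shared behind NAT), which is why the patent also lists passwords, public keys and SIM-based authentication as alternatives. The example also shows why a hash-derived slot is preferable to drawing a random time at install: a reinstalled client lands in the same slot, and the population stays evenly spread across the window.

```python
"""Added example, not from the patent: subscriber-address authorization for
an install request and a deterministic update slot in the 10 p.m. to 6 a.m. window."""
import hashlib
import ipaddress

# Constructed subscriber table: the client intranets 190 from which install
# requests are accepted, as CIDR prefixes (RFC 5737/3849 documentation ranges).
SUBSCRIBER_NETWORKS = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24",        # customer A
    "198.51.100.0/25",     # customer B
    "2001:db8:10::/48",    # customer C
)]

WINDOW_START_MIN = 22 * 60   # window opens at 10 p.m. (minutes after midnight)
WINDOW_LEN_MIN = 8 * 60      # and runs eight hours, to 6 a.m.


def is_subscriber(source):
    """Step 305: is the browser's address inside a subscribing client's network?
    Malformed input is treated as a non-subscriber rather than raising."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(addr in net for net in SUBSCRIBER_NETWORKS)


def update_slot(client_id, salt=b"av-update-schedule-v1"):
    """Step 311: a fixed pseudo-random (hour, minute) inside the window for this
    client, derived from a hash so the same client always gets the same slot."""
    digest = hashlib.sha256(salt + client_id.encode()).digest()
    offset = int.from_bytes(digest[:4], "big") % WINDOW_LEN_MIN
    return divmod((WINDOW_START_MIN + offset) % (24 * 60), 60)


def cron_line(client_id, command="/opt/av/bin/av-update --pull"):
    """The crontab entry the installer writes on the client (command path assumed)."""
    hour, minute = update_slot(client_id)
    return f"{minute} {hour} * * * {command}"


def handle_install_request(source, client_id):
    """Steps 303-315 in one call: deny non-subscribers, otherwise grant the
    install and hand back the update schedule the client is to install."""
    if not is_subscriber(source):
        return {"granted": False, "reason": "source not in subscriber networks"}
    return {"granted": True, "crontab": cron_line(client_id)}


def slot_histogram(client_ids, buckets=8):
    """Clients per hour of the window; a quick check that the spread is even."""
    counts = [0] * buckets
    for cid in client_ids:
        hour, minute = update_slot(cid)
        offset = (hour * 60 + minute - WINDOW_START_MIN) % (24 * 60)
        counts[offset * buckets // WINDOW_LEN_MIN] += 1
    return counts


if __name__ == "__main__":
    print(handle_install_request("192.0.2.17", "ws-0042.customer-a.example"))
    print(handle_install_request("203.0.113.5", "stranger"))
    print(slot_histogram([f"host-{i}" for i in range(4000)]))
```

The histogram over a few thousand constructed host names shows roughly equal counts per hour, which is the load-spreading the patent's randomization function is meant to achieve; the same function is what the client antivirus server 150 would use to fill in the cron entry during step 311.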
Decoy Servers

[33] Computer viruses, whether communicated by electronic mail or through portable computer-readable media, are not the only security threats to a computer network. For example, a hacker could use active means, such as using a Telnet connection or the SubSeven Trojan horse, to intrude upon and possibly damage a computer system on the intranet. Accordingly, one embodiment of the present invention provides intrusion detection, such that intruders are diverted to a decoy environment in which the intruders' actions are monitored, controlled, and contained.

[34] FIG. 4 is a flowchart illustrating the operation of one implementation for intrusion detection in accordance with an embodiment of the present invention. At step 401, the front-end switches 110 receive communications from an outside user 101 via the Internet backbone 100. These communications can take a variety of forms and may include, for example, telnet sessions, pings, and packets sent to any of the IP ports of computers in the intranets 190.

[35] At step 403, the front-end switches 110 determine whether the communication source is authorized to transmit traffic into the intranets 190. Various approaches can be used to make this determination. For example, the front-end switches 110 may maintain a list of known, previously identified threat domains. In this example, all traffic originating from the identified threat domains is tagged as suspicious. In another example, traffic originating from any of the suspect domains (also maintained in a list) is considered suspicious. In still another example, any traffic from specific unauthorized IP addresses is deemed suspicious. If the incoming communication uses ports that are not used by any of the applications on the customers' intranets 190, then the incoming communication is flagged as suspicious. If the incoming communication is authorized in the sense of not being determined to be suspicious (tested in step 405), then execution branches to step 415 where the authorized communication is routed to the destination within the intranets.

[36] If, on the other hand, the incoming communication is not authorized (tested in step 405), then execution proceeds to step 407 where the incoming communication is routed to one of one or more decoy servers 160. A decoy server 160 is a computer system that is configured to look like the client's computer system. Thus, when the unauthorized communication is routed to the decoy server 160, the decoy server 160 simulates the client's computer system (step 409). Because the decoy server 160 is separate from the client's computer system, any activity at the decoy server 160 performed by the intruder will not affect the client's computer system. In one embodiment, the decoy server 160 also includes some un-patched operating system/application holes to look more appealing or breakable to a would-be intruder.

[37] When the intruder takes the bait of the decoy server 160, all actions and keystrokes of the intruder are logged to the administration console 161 (step 411). Consequently, the intruder's actions can be studied to understand the nature of the intrusion and learn how to counter the intrusion or to ascertain the source of the intrusion. The intruder's actions are logged in sufficient detail to enable investigation and possible prosecution. In addition, an electronic mail alert can be sent from the administration console 161 to an operator to warn that a penetration attempt is underway.
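The triage of steps 403 through 407 and 415, as an added Python example (not the patent's or any switch vendor's code). It applies the four tests the patent lists, in that order, to each inbound connection and returns the destination: the intranet, or one of the decoy servers 160. The threat and suspect domain lists, the unauthorized address ranges, the set of in-use service ports, the decoy names and the sample connections are constructed for the example. One practical point the code comments on: the "domain" of a source is whatever its reverse DNS says, and the owner of the address controls that record, so a domain match is a signal to act on rather than proof of origin.

```python
"""Added example, not from the patent: per-connection triage at the front-end
switch, routing suspicious sources to a decoy server instead of the intranet."""
import ipaddress
from dataclasses import dataclass

# Constructed lists of the kind the front-end switches 110 would keep.
THREAT_DOMAINS = {"badnet.example"}             # known, previously identified threat domains
SUSPECT_DOMAINS = {"shady-hosting.example"}     # merely suspect domains
UNAUTHORIZED_ADDRS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.77/32")]
SERVICE_PORTS = {25, 80, 443}                   # ports applications on intranets 190 actually use


@dataclass(frozen=True)
class Connection:
    src_ip: str
    src_domain: str      # reverse-DNS name; the address owner controls it, so it is
                         # a signal rather than proof of where the traffic comes from
    dst_port: int
    proto: str = "tcp"


def _in_domains(name, domains):
    """Case-insensitive match of a host name or any of its parent domains."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def classify(conn):
    """Step 403/405: (suspicious, reason), applying the patent's tests in order."""
    if _in_domains(conn.src_domain, THREAT_DOMAINS):
        return True, "threat-domain"
    if _in_domains(conn.src_domain, SUSPECT_DOMAINS):
        return True, "suspect-domain"
    addr = ipaddress.ip_address(conn.src_ip)
    if any(addr in net for net in UNAUTHORIZED_ADDRS):
        return True, "unauthorized-address"
    if conn.dst_port not in SERVICE_PORTS:
        return True, f"unused-port:{conn.dst_port}"
    return False, "authorized"


def route(conn, decoys=("decoy-1", "decoy-2")):
    """Steps 407/415: destination for the connection.  A suspicious source is
    pinned to one decoy by its address, so an intruder opening several
    connections keeps seeing the same simulated host."""
    suspicious, reason = classify(conn)
    if not suspicious:
        return "intranet", reason
    return decoys[int(ipaddress.ip_address(conn.src_ip)) % len(decoys)], reason


# Constructed inbound connections as the switches would see them.
SAMPLE = [
    Connection("192.0.2.10", "mail.partner.example", 25),
    Connection("203.0.113.9", "host.isp.example", 80),
    Connection("198.18.0.5", "c2.badnet.example", 443),
    Connection("198.18.0.6", "vps.shady-hosting.example", 443),
    Connection("192.0.2.11", "pc.home.example", 23),
]


def triage(conns=SAMPLE):
    """One row per connection: (source, port, destination, reason)."""
    return [(c.src_ip, c.dst_port) + route(c) for c in conns]


if __name__ == "__main__":
    for row in triage():
        print(row)
```

Only the first sample connection, mail to port 25 from an unlisted source, reaches the intranet; the telnet attempt on port 23 is diverted even though its source is otherwise unremarkable, because no intranet application listens there, which is the "unused port" test the patent describes.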



Security Manager

[38] In one embodiment, when individual attacks are detected, events are generated and sent to a security manager 195. The security manager 195 correlates these events across the enterprise to detect multi-pronged and multi-phased attacks, which may come from different network locations and with different methods. The security manager 195 may respond to these detected overall patterns of attack in various appropriate ways, such as automatically deploying additional security safeguards, making a change dictated by policy, or requesting human intervention. The detected nodes of attack vectors can be tracked back across the Internet, either by human methods of forensic analysis, or automatically through use of automated tracking tools, e.g., Recourse Technologies ManHunt™ system. Based on policy, counterattacks may be launched, using, for example, industry available attack methods. In addition, logs of all activities may be kept for forensic analysis and/or legal action.
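A minimal correlation rule for the security manager 195, as an added Python example that is not the patent's, HP OpenView's or any other product's logic. The sensor names, the 30-minute window, the two-sensor threshold and the sample event stream (the kind of events the DoS filter, mail scanner and decoy server of this architecture would report) are constructed for the example. It demonstrates the one thing a per-server alarm cannot: a source that several different sensors see within a short span, which is what the patent calls a multi-pronged attack.

```python
"""Added example, not from the patent: group sensor events by source address
and report sources seen by several distinct sensors inside a time window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event stream as the servers on LAN 120 would report it to the
# security manager 195: (ISO timestamp, reporting sensor, source address, detail).
SAMPLE_EVENTS = [
    ("2001-07-24T01:02:00", "dos-filter",   "203.0.113.9",  "syn flood toward 192.0.2.25:25"),
    ("2001-07-24T01:05:10", "mail-scanner", "203.0.113.9",  "Demo.Dropper.B in card.scr"),
    ("2001-07-24T01:06:30", "decoy",        "203.0.113.9",  "telnet login attempts on decoy-2"),
    ("2001-07-24T01:07:00", "mail-scanner", "198.51.100.7", "Demo.Appender.A in viewer.exe"),
    ("2001-07-24T03:40:00", "decoy",        "198.51.100.7", "port sweep against decoy-1"),
]


def correlate(events, window_minutes=30, min_sensors=2):
    """Report each source that at least min_sensors distinct sensors saw within
    some window_minutes-long span: one source, several methods, close in time."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ts, sensor, src, detail in events:
        by_src[src].append((datetime.fromisoformat(ts), sensor, detail))
    incidents = []
    for src, evs in by_src.items():
        evs.sort()                                   # chronological per source
        for i, (t0, _, _) in enumerate(evs):
            span = [e for e in evs[i:] if e[0] - t0 <= window]
            sensors = sorted({e[1] for e in span})
            if len(sensors) >= min_sensors:
                incidents.append({
                    "source": src,
                    "first_seen": t0.isoformat(),
                    "sensors": sensors,
                    "events": len(span),
                    "timeline": [(e[0].isoformat(), e[1], e[2]) for e in span],
                })
                break                                # one incident per source
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(inc["source"], inc["sensors"], inc["events"])
        for line in inc["timeline"]:
            print("   ", *line)
```

On the sample stream 203.0.113.9 is reported once, with three sensors and three events inside five minutes, while 198.51.100.7 is not: its two events are from different sensors but hours apart. How the manager then responds (extra safeguards, a policy change, or escalation to a human) is left to policy in the patent and is not modelled here.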

Hardware Overview

[39] FIG. 5 illustrates a computer system 500 upon which an embodiment according to the present invention can be implemented. The computer system 500 includes a bus 501 or other communication mechanism for communicating information, and a processor 503 coupled to the bus 501 for processing information. The computer system 500 also includes main memory 505, such as a random access memory (RAM) or other dynamic storage device, coupled to the bus 501 for storing information and instructions to be executed by the processor 503. Main memory 505 can also be used for storing temporary variables or other intermediate information during execution of instructions to be executed by the processor 503. The computer system 500 further includes a read only memory (ROM) 507 or other static storage device coupled to the bus 501 for storing static information and instructions for the processor 503. A storage device 509, such as a magnetic disk or optical disk, is additionally coupled to the bus 501 for storing information and instructions.

[40] The computer system 500 may be coupled via the bus 501 to a display 511, such as a cathode ray tube (CRT), liquid crystal display, active matrix display, or plasma display, for displaying information to a computer user. An input device 513, such as a keyboard including alphanumeric and other keys, is coupled to the bus 501 for communicating information and command selections to the processor 503. Another type of user input device is cursor control 515, such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to the processor 503 and for controlling cursor movement on the display 511.

[41] According to one embodiment of the invention, computer network security is provided by the computer system 500 in response to the processor 503 executing an arrangement of instructions contained in main memory 505. Such instructions can be read into main memory 505 from another computer-readable medium, such as the storage device 509. Execution of the arrangement of instructions contained in main memory 505 causes the processor 503 to perform the process steps described herein. One or more processors in a multi-processing arrangement may also be employed to execute the instructions contained in main memory 505. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the embodiment of the present invention. Thus, embodiments of the present invention are not limited to any specific combination of hardware circuitry and software.

[42] The computer system 500 also includes a communication interface 517 coupled to bus 501. The communication interface 517 provides a two-way data communication coupling to a network link 519 connected to a local network 521. For example, the communication interface 517 may be a digital subscriber line (DSL) card or modem, an integrated services digital network (ISDN) card, a cable modem, or a telephone modem to provide a data communication connection to a corresponding type of telephone line. As another example, communication interface 517 may be a local area network (LAN) card (e.g. for Ethernet™ or an Asynchronous Transfer Mode (ATM) network) to provide a data communication connection to a compatible LAN. Wireless links can also be implemented. In any such implementation, communication interface 517 sends and receives electrical, electromagnetic, or optical signals that carry digital data streams representing various types of information. Further, the communication interface 517 can include peripheral interface devices, such as a Universal Serial Bus (USB) interface, a PCMCIA (Personal Computer Memory Card International Association) interface, etc.

[43] The network link 519 typically provides data communication through one or more networks to other data devices. For example, the network link 519 may provide a connection through local network 521 to a host computer 523, which has connectivity to a network 525 (e.g. a wide area network (WAN) or the global packet data communication network now commonly referred to as the "Internet") or to data equipment operated by a service provider. The local network 521 and network 525 both use electrical, electromagnetic, or optical signals to convey information and instructions. The signals through the various networks and the signals on network link 519 and through communication interface 517, which communicate digital data with computer system 500, are exemplary forms of carrier waves bearing the information and instructions.

[44] The computer system 500 can send messages and receive data, including program code, through the network(s), network link 519, and communication interface 517. In the Internet example, a server (not shown) might transmit requested code belonging to an application program for implementing an embodiment of the present invention through the network 525, local network 521 and communication interface 517. The processor 503 may execute the transmitted code while being received and/or store the code in storage device 509, or other non-volatile storage for later execution. In this manner, computer system 500 may obtain application code in the form of a carrier wave.

[45] The term "computer-readable medium" as used herein refers to any medium that participates in providing instructions to the processor 503 for execution. Such a medium may take many forms, including but not limited to non-volatile media, volatile media, and transmission media. Non-volatile media include, for example, optical or magnetic disks, such as storage device 509. Volatile media include dynamic memory, such as main memory 505. Transmission media include coaxial cables, copper wire and fiber optics, including the wires that comprise bus 501. Transmission media can also take the form of acoustic, optical, or electromagnetic waves, such as those generated during radio frequency (RF) and infrared (IR) data communications. Common forms of computer-readable media include, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, any other magnetic medium, a CD-ROM, CDRW, DVD, any other optical medium, punch cards, paper tape, optical mark sheets, any other physical medium with patterns of holes or other optically recognizable indicia, a RAM, a PROM, an EPROM, a FLASH-EPROM, any other memory chip or cartridge, a carrier wave, or any other medium from which a computer can read.

[46] Various forms of computer-readable media may be involved in providing instructions to a 
processor for execution. For example, the instructions for carrying out at least part of the present 
invention may initially be borne on a magnetic disk of a remote computer. In such a scenario, the 
remote computer loads the instructions into main memory and sends the instructions over a 
telephone line using a modem. A modem of a local computer system receives the data on the 
telephone line and uses an infrared transmitter to convert the data to an infrared signal and 
transmit the infrared signal to a portable computing device, such as a personal digital assistant 
(PDA) or a laptop. An infrared detector on the portable computing device receives the 
information and instructions borne by the infrared signal and places the data on a bus. The bus 
conveys the data to main memory, from which a processor retrieves and executes the 
instructions. The instructions received by main memory may optionally be stored on a storage 
device either before or after execution by processor. 

[47] While the present invention has been described in connection with a number of 
embodiments and implementations, the present invention is not so limited but covers various 
obvious modifications and equivalent arrangements, which fall within the purview of the 
appended claims. 

CLAIMS 

WHAT IS CLAIMED IS: 

1. A network security system to be deployed between a plurality of intranets belonging to 
respective organizations and an internet backbone, comprising: 

a scanning system coupled to the intranets for scanning incoming electronic mail for 
malicious code; 

an anti-virus server coupled to the intranets for downloading anti-virus code to clients 
coupled to the intranets; and 

a switch coupled between the internet backbone, the scanning system, and the anti-virus 
server, said switch configured for: 

directing incoming electronic mail from the internet backbone to the scanning system. 

2. A network security system according to claim 1, further comprising: 

a decoy server coupled to the intranets for masquerading as a legitimate server and logging 
activity on communications received via the internet backbone; 

wherein the switch is further coupled to the decoy server and is further configured for 
redirecting suspicious traffic from the internet backbone to the decoy server. 

3. A network security system to be deployed between a plurality of intranets belonging to 
respective organizations and an internet backbone, comprising: 

a scanning system coupled to the intranets for scanning incoming electronic mail for 
malicious code; 

a mail proxy server for determining whether the incoming electronic mail is to be scanned for 
malicious code and directing the incoming electronic mail to the scanning system when 
the incoming electronic mail is determined to be scanned for malicious code; 

an anti-virus server coupled to the intranets for downloading anti-virus code to clients 
coupled to the intranets; and 

a switch coupled between the internet backbone, the scanning system, and the anti-virus 
server, said switch configured for: 

directing incoming electronic mail from the internet backbone to the mail proxy server. 

4. A network security system according to claim 2, further comprising: 

a decoy server coupled to the intranets for masquerading as a legitimate server and logging 
activity on communications received via the internet backbone; 

wherein the switch is further coupled to the decoy server and is further configured for 
redirecting suspicious traffic from the internet backbone to the decoy server. 

5. A network security system to be deployed between a plurality of intranets belonging to 
respective organizations and an internet backbone, comprising: 

a plurality of scanning systems coupled to the intranets for scanning incoming electronic mail 
for malicious code; 

a plurality of anti-virus servers coupled to the intranets for downloading anti-virus code to 
clients coupled to the intranets; 

a plurality of switches coupled between the internet backbone, the scanning systems, and the 
anti-virus servers, said switches configured for: 

directing incoming electronic mail to at least one of the scanning systems. 

6. A network security system according to claim 5, wherein the switches are further 
configured for: 

load-balancing among the scanning systems and among the decoy servers. 

7. A network security system according to claim 5, further comprising: 

a plurality of decoy servers coupled to the intranets for masquerading as legitimate servers 
and logging activity on communications received via the internet backbone; 

wherein the switches are further coupled to the decoy servers and are further configured for 
redirecting suspicious traffic from the internet backbone to the decoy servers. 

8. A method for maintaining network security system between a plurality of intranets 
belonging to respective organizations and an internet backbone, comprising: 

directing incoming electronic mail from the internet backbone to a scanning system; 
scanning incoming electronic mail for malicious code; and 
downloading anti-virus code to clients coupled to the intranets. 

9. A method according to claim 8, further comprising: 

redirecting suspicious traffic from the internet backbone to the decoy server; 
simulating the decoy server as a legitimate server to the suspicious traffic; and 
logging activity on communications received via the internet backbone. 

10. A method for maintaining network security system between a plurality of intranets 
belonging to respective organizations and an internet backbone, comprising: 

directing incoming electronic mail from the internet backbone to one of a plurality of mail 
proxy servers; 

at the one of the mail proxy servers, determining whether the incoming electronic mail is to 
be scanned for malicious code and directing the incoming electronic mail to a scanning 
system when the incoming electronic mail is determined to be scanned for malicious 
code; 

at the scanning system, scanning incoming electronic mail for malicious code; 
downloading anti-virus code to clients coupled to the intranets. 

11. A method according to claim 10, further comprising: 

load-balancing among the mail proxy servers. 
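The routing path the claims describe, modelled as added example code that is not the patent's own implementation (the specification provides none): the mail proxy of claims 3 and 10 decides whether a message is handed to a scanning system, the switch of claims 5, 6 and 11 load-balances scanned mail across several scanning systems, and the decoy of claims 2, 4, 7 and 9 masquerades as a mail server while logging whatever it receives. The scan criterion (any multipart or non-plain-text message is scanned), the round-robin balancing policy, the source-address watchlist that marks a connection as suspicious, and every host name, address and sample message are assumptions constructed for this example.

```python
"""Added model (not the patent's code) of the claimed mail-routing path:
proxy decides whether to scan, switch load-balances scanned mail across
scanning systems, decoy logs suspicious connections behind a fake banner."""
from dataclasses import dataclass, field
from email import message_from_string
from itertools import cycle
from typing import Dict, List, Set


def needs_scanning(raw: str) -> bool:
    """Assumed scan criterion: any multipart message (anything that can carry
    an attachment) or any non-plain-text body goes to a scanning system."""
    msg = message_from_string(raw)
    if msg.is_multipart():
        return True
    return msg.get_content_type() != "text/plain"


class MailProxy:
    """Stands in for the claimed mail proxy server plus the switch's
    load-balancing function. Round-robin is an assumption; the claims do not
    name a balancing policy."""

    def __init__(self, scanners: List[str]) -> None:
        self._rr = cycle(scanners)
        self.routed: Dict[str, List[str]] = {s: [] for s in scanners}
        self.delivered_direct: List[str] = []

    def route(self, raw: str) -> str:
        """Return the name of the system the message was handed to."""
        subject = message_from_string(raw).get("Subject", "")
        if needs_scanning(raw):
            dest = next(self._rr)          # next scanning system in rotation
            self.routed[dest].append(subject)
            return dest
        self.delivered_direct.append(subject)
        return "intranet-mta"              # plain text: straight to the intranet


@dataclass
class DecoyServer:
    """Masquerades as a mail server and records everything it receives."""
    log: List[str] = field(default_factory=list)

    def handle(self, src_ip: str, payload: str) -> str:
        self.log.append(f"{src_ip} sent {payload!r}")
        return "220 mail.example ESMTP ready"  # fake greeting; never relays mail


class Switch:
    """Forwards ordinary connections to the proxy and redirects connections
    from a watchlist of sources to the decoy. The static watchlist is a
    constructed stand-in for whatever 'suspicious' policy a deployment uses."""

    def __init__(self, proxy: MailProxy, decoy: DecoyServer, watchlist: Set[str]) -> None:
        self.proxy, self.decoy, self.watchlist = proxy, decoy, watchlist

    def accept(self, src_ip: str, raw_mail: str) -> str:
        if src_ip in self.watchlist:
            return self.decoy.handle(src_ip, raw_mail[:40])
        return self.proxy.route(raw_mail)


# Constructed sample messages (RFC 5322 text, not taken from the patent).
PLAIN_MAIL = """From: alice@example.com
To: bob@intranet.example
Subject: lunch

See you at noon.
"""

ATTACHMENT_MAIL = """From: mallory@example.net
To: bob@intranet.example
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached file.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""


def run_demo() -> Dict[str, object]:
    """Push constructed traffic through the switch and return what happened."""
    proxy = MailProxy(["scanner-1", "scanner-2"])
    decoy = DecoyServer()
    switch = Switch(proxy, decoy, watchlist={"203.0.113.9"})   # constructed watchlist
    destinations = [
        switch.accept("198.51.100.5", PLAIN_MAIL),        # -> intranet-mta
        switch.accept("198.51.100.5", ATTACHMENT_MAIL),   # -> scanner-1
        switch.accept("198.51.100.6", ATTACHMENT_MAIL),   # -> scanner-2
        switch.accept("198.51.100.7", ATTACHMENT_MAIL),   # -> scanner-1 again
        switch.accept("203.0.113.9", ATTACHMENT_MAIL),    # watchlisted -> decoy banner
    ]
    return {"destinations": destinations, "decoy_log": decoy.log,
            "direct": proxy.delivered_direct, "routed": proxy.routed}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The decoy answers with a plausible greeting but never relays anything, so a probe gets the appearance of a live server while the only effect is a log entry; that log, not the banner, is the defensive value of the element. In a real deployment the decision that feeds `Switch.accept` would come from the network policy engine rather than a fixed address set, and the scanning systems would be reached over a queue or SMTP rather than by name.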